CN106778103B - Reinforcement method, system and decryption method for preventing reverse cracking of android application program - Google Patents
Reinforcement method, system and decryption method for preventing reverse cracking of android application program Download PDFInfo
- Publication number
- CN106778103B CN106778103B CN201611265457.0A CN201611265457A CN106778103B CN 106778103 B CN106778103 B CN 106778103B CN 201611265457 A CN201611265457 A CN 201611265457A CN 106778103 B CN106778103 B CN 106778103B
- Authority
- CN
- China
- Prior art keywords
- file
- class
- android
- program
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 65
- 230000002441 reversible effect Effects 0.000 title claims abstract description 22
- 238000005336 cracking Methods 0.000 title claims abstract description 21
- 230000002787 reinforcement Effects 0.000 title claims description 9
- 230000003014 reinforcing effect Effects 0.000 claims abstract description 17
- 230000006870 function Effects 0.000 claims description 46
- 238000009434 installation Methods 0.000 claims description 26
- 238000007619 statistical method Methods 0.000 claims description 12
- 230000008569 process Effects 0.000 claims description 9
- 238000000605 extraction Methods 0.000 claims description 8
- 238000012935 Averaging Methods 0.000 claims description 7
- 238000012360 testing method Methods 0.000 claims description 5
- 230000008439 repair process Effects 0.000 claims description 3
- 238000000547 structure data Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 3
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 241000239290 Araneae Species 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000006837 decompression Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a reinforcing method, a system and a decryption method for preventing reverse cracking of an Android application program, wherein the reinforcing method and the system utilize an apktool tool to disassemble the Android application program into a smali file, traverse all classes, add clinit, use the apktool to recompile the Android application program into a DEX file, and perform SO reinforcing protection on a key SO used for DEX reinforcing. The decryption method is that the distributed files are loaded according to needs, the system environment is judged, and whether the virtual machine is tampered or not is detected through mathematical statistics. By applying the encryption and decryption technical scheme provided by the invention, an innovative thought and a feasible technical solution are provided for the encryption and decryption of the application under the Android platform, and the encryption and decryption technical scheme can be used for protecting the application under the Android platform, preventing the program from being attacked by hacker means such as decompilation and the like, protecting the confidentiality of commercial software and protecting the application safety of a user.
Description
Technical Field
The invention relates to the technical field of application encryption based on a mobile terminal, in particular to a reinforcing method, a reinforcing system and a decryption method for preventing reverse cracking of an android application program.
Background
At present, the Android operating system developed by Google corporation is the highest mobile intelligent terminal platform in the global market share. The number of Android application software is continuously increased, and a good software sales mode is established. As with the traditional PC platform, the successful commercialization of Android applications has also led to their reverse analysis and cracking.
The reverse analysis (recovery analysis) of the application software includes:
firstly, analyzing an executable code of software by adopting methods such as disassembling, decompiling, debugging and the like so as to know the execution flow, algorithm realization and the like of the code;
secondly, analyzing configuration files and data files of the software to obtain formats, semantics and the like of the files;
and thirdly, analyzing the network communication data of the software to obtain the protocol format, the protocol semantics, the data encryption method, the data specific meaning and the like of the communication between the software and the server.
The latter two types of analysis are based on the first type of analysis, i.e., executable code needs to be analyzed first to further analyze configuration files, data files, network communication data, etc.
Through reverse analysis, an attacker can obtain a business secret in the software. For example, in antivirus software of a mobile phone, once an attacker performs reverse analysis to obtain specific details, executable codes such as a malicious code detection algorithm and a feature matching algorithm, and data files such as a malicious code feature library may be utilized by other similar software, or may be subjected to targeted defense or attack by a malicious code author.
In addition, in order to avoid reverse cracking, there are also a plurality of ways to prevent and avoid in the prior art, such as application number: 201610279693.1, protecting the android app of the user in a way of obfuscating the smali code, and enabling the code to be disassembled and decompiled, so that the time required for understanding the code is only increased; application No.: 201610206483.x performs encryption protection by the reversely compiled smali code, however, both the code and the encrypted data exist in the Android installation file and the Android device in a file form for a long time, and the cracking can still be completed by using the memory dump, so that for the Android application, a hacker can also find the spider horse to perform reverse cracking.
Disclosure of Invention
In view of the above-mentioned drawbacks and deficiencies of the prior art, it would be desirable to provide a solution that is highly safe and difficult to crack. In order to achieve one or more of the above objects, the present application provides a method and a system for reinforcing an android application against reverse cracking.
According to one aspect of the present invention, the present invention provides
A reinforcing method for preventing reverse cracking of an android application program comprises the following steps:
reversely assembling the android application program by using an android installation package compiling tool to generate an intermediate file;
traversing the classes in the generated intermediate file, and setting a corresponding class constructor for the class to be loaded;
extracting all intermediate files except the class constructor and the initialization function, encrypting and storing; and the number of the first and second groups,
and calling the dynamic link library to reinforce the executable file.
Preferably, before extracting all intermediate files except the class constructor and the initialization function for encryption, the method further comprises: and assembling the intermediate file provided with the class constructor by using an android installation package compiling tool, and recompiling the intermediate file into an executable file.
Preferably, encrypting the intermediate file further includes:
extracting the intermediate file to generate a shell program file and an entry address file; and the number of the first and second groups,
and modifying the entry address file to generate a modified entry.
Preferably, after the step of calling the dynamic link library to consolidate the executable file, the step of calling the dynamic link library further includes: and writing the reinforced file into the empty shell program file.
Preferably, the shell program file further includes a decryption process, where the decryption process includes: when the class needs to be loaded, calling a class constructor, and calling a bottom layer function through the class constructor so as to decrypt a code; and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
Preferably, the mathematical statistics method may include a regularity statistics or variance averaging method.
According to another aspect of the present invention, the present invention further provides a reinforcing system for preventing reverse cracking of an android application, including the following units:
the installation package obtaining unit is used for obtaining an original android installation package;
the reverse assembly unit is used for reversely assembling the android application program by utilizing an android installation package compiling tool so as to obtain an intermediate file;
a class builder unit: traversing classes in the generated intermediate file, and setting a corresponding class constructor for the class to be loaded;
an extraction encryption unit: extracting all intermediate files except the class constructor and the initialization function, encrypting and storing; and
and the reinforcement unit is used for calling the dynamic link library to reinforce the executable file.
Preferably, before extracting all the intermediate files except the class constructor and the initialization function for encryption, the extraction encryption unit further includes: assembling the intermediate file provided with the class constructor by using an android installation package compiling tool, and recompiling the intermediate file into an executable file
Preferably, the extraction encryption unit further includes:
extracting the intermediate file to generate a shell program file and an entry address file;
and modifying the entry address file to generate a modified entry.
Preferably, the system further comprises a writing unit for writing the dynamic link library into the empty shell file.
Preferably, the shell program file further comprises a decryption unit, and the decryption unit is used for calling the class constructor when the class needs to be loaded, and calling the bottom-layer function through the class constructor to decrypt the code; and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
Preferably, the mathematical statistics method may include a regularity statistics or variance averaging method.
According to another aspect of the present invention, the present invention further provides a method for decrypting an empty shell file, including the following steps:
obtaining an Android version number, and judging whether the version is a leaky version;
if the bug exists, adopting a rewriting function to repair the bug;
testing whether the system environment is 32-bit system environment, and if the system environment is 32-bit system environment, repairing the vulnerability of the 32-bit system virtual machine;
detecting whether the environment is an ARM processor environment;
detecting a java running environment, and judging whether the running environment is in a DVM mode or an ART mode;
detecting whether the memory image is a samsung customized read-only memory mirror image or not;
if the customized read-only memory mirror image is samsung, modifying the offset address of the executable file;
when the class needs to be loaded, calling a class constructor, and calling a bottom layer function through the class constructor so as to decrypt a code;
and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
Preferably, the version judged to have the leak is android3.0 or android1.6
According to the specific Android application program APK reinforcing method, system and decryption method provided by the embodiment of the invention, the content of the compiled SO file is difficult to identify by decrypting according to needs and customizing the format of the SO file, SO that the analysis time cost and the analysis difficulty of APK program logic are greatly increased, the safety of program codes is further improved, and the requirements of the Android application degree on static and dynamic reverse cracking are effectively met. In addition, the method and the system can be compatible with a plurality of versions of android, including android 6.0 and android4.0 below, and are suitable for running in a Samsung customized read-only memory mirror image and android4.4 art mode.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of an Android application APK encryption method according to a preferred embodiment of the present invention.
Fig. 2 is a structural diagram of an Android application APK encryption system according to a preferred embodiment of the present invention.
FIG. 3 is a flowchart of a decryption method according to a preferred embodiment of the present invention.
Fig. 4 is a flowchart of a decryption method according to another preferred embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 is a flowchart illustrating a reinforcing method for preventing reverse cracking of an android application according to an embodiment of the present invention; as shown in fig. 1, the reinforcement method for preventing reverse cracking of the present invention includes the following steps:
step 101, obtaining an original android installation package of an android application;
in the android system, an application that can be installed and run needs to be packaged into an android installation package, that is, in an apk (android application package) file format. The APK is an abbreviation of Android Package, namely an Android installation Package. The code of an Android application program is required to be run on an Android device, and must be compiled and packaged into a file which can be recognized by an Android system to be run, and the file format which can be recognized and run by the Android system is 'APK'. An APK file may contain compiled code files (DEX files), resource folders (folders named res), certificates (certificates), manifest files (manifest files), and the like. The APK file is in a zip format, but the suffix name is modified into APK, and after Unzip decompression, an original DEX file in the APK file can be obtained, wherein DEX is the full name of Dalvik VM executions, namely an Android Dalvik executive program, namely the DEX file has a function similar to an EXE file in a Windows system.
102, reversely assembling the android application by using an android installation package compiling tool to obtain an intermediate file;
the android installation package compiling tool can be an apktool or Baksmali disassembler, and the intermediate file is a smali file. And disassembling DEX files in the android application, so that a smali folder is generated under the decompilated engineering directory, all decompilated smali files are stored in the smali folder, the files can generate corresponding directories according to the hierarchical structure of the program package, and all classes in the program can generate independent smali files under the corresponding directories.
Step 103, traversing the classes in the generated intermediate file, and setting a corresponding class constructor for the class to be loaded; preferably, the setting of the corresponding class constructor includes: traversing class functions in the smali file, determining that the classes need to be executed, and automatically adding a < clinit > mark; when the < clinit > tag is read, it indicates that execution of the program is to be directed.
104, using an android installation package compiling tool to carry out assembly operation on the smali file provided with the class constructor, and recompiling the smali file into an executable file; then extracting all intermediate files except the class initialization function and the initialization function, encrypting and storing;
the executable file is a DEX file, and the class initialization function and the initialization function are clinit and init functions respectively;
specifically, the above-mentioned Smali file provided with the class constructor is recompiled into a DEX file by using a known third-party assembler tool, apktool or Smali assembler, wherein the assembler tool and the disassembler tool should be matched with each other, for example, Smali and bakamali refer to an assembler and a disassembler of a DEX format file used by a Java virtual machine (Dalvik) in the android system, respectively.
Preferably, encrypting the file comprises:
extracting the smali codes to generate an empty-shell smali file and an entry address file;
and carrying out modification operation on the entry address file to generate a modified entry.
Preferably, the recompiled DEX may also be encrypted. The method specifically comprises the following steps: loading a DEX file, analyzing the DEX file into a DEX basic structure data file and a byte code data file, and calling a davlik virtual machine function openDEXFile to load the DEX basic structure data file. Separating the Head, String Table, Type Table, Proto Table, Field Table, Method Table, Class Def Table and Data selection of the DEX file to form a byte code Data file, and determining and reading the deviation value of each part of the file. Extracting byte code data in the DEX file and storing the byte code data in the DEX function realization byte code data file; each byte code data file is encrypted using a symmetric encryption algorithm. The encryption algorithm may be an encryption algorithm, and may be a conventional data encryption algorithm, such as AES (Advanced encryption standard), which encrypts the original DEX file to obtain an encrypted DEX file. Further, the original DEX file may be integrally encrypted, for example, the encryption Algorithm employs AES, the signature Algorithm employs RSA (public key encryption Algorithm), the digest Algorithm employs SHA1(Secure Hash Algorithm), and the encrypted DEX file may also be obtained.
And 105, reinforcing the executable file through the dynamic link library.
The reinforcement includes:
carrying out format analysis on the SO file to generate a custom format;
encrypting the custom format to generate an encrypted custom format;
and embedding the encrypted custom format into a linker loader.
Typically, SO files are dynamically linked libraries, which are essentially shared libraries, compiled from C or C + + languages. The SO file is loaded first at program start-up. And respectively decrypting the decompressed files by the SO files and calling openDEXFile to load the DEX basic structure data file. And sequentially repairing the offset of each function of the DEX basic structure data file according to the data in the byte code data file realized by the DEX function, and then, normally operating the program.
And 106, writing the dynamic link library into the empty shell program file, and further loading and operating through the empty shell program file. The empty shell program file is an empty shell smali file.
Preferably, the SO file is subjected to shell adding treatment, and the reinforced SO file is written into a shell program file as code data; the SO file in the shell file may be protected in the following manner. The method comprises the steps of removing local information in the SO file, namely realizing the loss of the local information of the SO file; SO that a complete SO file cannot be obtained; and (3) carrying out sectional encryption processing on the SO file: namely, the data section and the code section are respectively encrypted, so that the decryption difficulty is improved; and (3) performing code obfuscation processing on the SO file: the method provides the disorderly codes for the cracker, causes troubles and increases the cracking difficulty.
Preferably, the shell program file contains a code that can decrypt the hardened SO file. When loading and operating the SO file, the shell program file can operate before the SO file, obtain priority, decrypt the reinforced SO file,
as shown in fig. 3, the decryption process flow includes:
1. testing whether the system environment is a 32-bit system environment or not, and if the system environment is the 32-bit system environment, repairing the bug of the 32-bit system virtual machine;
preferably, the 32-bit system is X86, the virtual machine bug is a smali instruction set bug, and the repairing of the X86 virtual machine bug is the X86 assembly of an instruction set interpretation level in the virtual machine and the repairing is performed by adopting a hook technology;
2. detecting whether the environment is an arm environment;
3. detecting a java running environment, and judging whether the running environment is in a dvm mode or an art mode; preferably, the java runtime environment can be detected by loading libart. SO or libdvm. SO;
4. when the class needs to be loaded, calling a clinit function, calling a bottom-layer function through the clinit function to decrypt a code, and optimizing the code by traversing the code by adopting a red-black tree algorithm so as to achieve an O (lgn) level data structure;
preferably, the clinit function is used for guiding the program to be executed, the empty shell program file is executed after the corresponding program is executed, the dynamic link library is called through the empty shell program file, the corresponding program is called from the intermediate file through the dynamic link library, and the encrypted program is decrypted through the dynamic link library;
preferably, the decryption code comprises a step of circularly acquiring a DEXFile structure ClassDef by using an interface DEXGetClassDef, and a step of searching a class containing a clinit method by using GetStaticMethodID to realize active decryption; preferably, the Method for realizing active decryption is to circularly search decrypted codes of a Method structure in the memory, determine whether access flags have Native marks, and if not, indicate that active decryption is completed.
5. Detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method to prevent a cracker from reversely cracking from a kernel layer; if the apk file is not tampered with maliciously, the apk file is dynamically loaded through the DEXClasLoader; the mathematical statistics method may include regularity statistics or variance averaging.
Preferably, in step 4, only the required classes are decrypted and dynamically loaded, and the classes which are not used exist in an encrypted form, and are encrypted after the class loading is finished. Thus, even if the program is decompiled, an attacker cannot obtain critical information because the important code is already hidden in the DEX file and is already encrypted. Because the original DEX file which is completely decrypted does not exist, the risk that the APK installation file is cracked and decompiled is reduced. SO that the source code of the SO file is restored to be complete, correctly code-ordered, non-encrypted and recoverable code.
According to the reinforcement method provided by the embodiment of the invention, the DEX file is disassembled to obtain the intermediate file, and the related instructions of the intermediate file are encrypted, so that the related instructions can be protected to obtain the protected DEX file, the analysis time cost and the analysis difficulty of the program logic are increased, and the safety of the program code is improved.
Fig. 2 is a block diagram illustrating a structure of a reinforcing system for preventing reverse cracking of an android application according to an embodiment of the present invention, where the system includes the following modules:
the installation package obtaining unit is used for obtaining an original android installation package;
the reverse assembly unit is used for reversely assembling the android application program by using an android installation package compiling tool to generate an intermediate file;
specifically, the android installation package compiling tool may be an apktool or a bakamali disassembler, and the intermediate file is a smali file. And disassembling DEX files in the android application, so that a smali folder is generated under the decompilated engineering directory, all decompilated smali files are stored in the smali folder, the files can generate corresponding directories according to the hierarchical structure of the program package, and all classes in the program can generate independent smali files under the corresponding directories.
A class builder unit: traversing the classes in the generated intermediate file, setting a corresponding class constructor for the class to be loaded, and encrypting and storing the extracted intermediate file;
preferably, the setting of the corresponding class constructor includes: traversing class functions in the smali file, determining that the classes need to be executed, and automatically adding a < clinit > mark; when the < clinit > tag is read, it indicates that execution of the program is to be directed.
Preferably, encrypting the file comprises:
extracting the smali codes to generate an empty-shell smali file and an entry address file;
and carrying out modification operation on the entry address file to generate a modified entry.
An extraction encryption unit: and assembling the intermediate file provided with the class constructor by using an android installation package compiling tool, and recompiling the intermediate file into a DEX file.
Specifically, the above-mentioned Smali file provided with the class constructor is recompiled into a DEX file by using a known third-party assembler tool, apktool or Smali assembler, wherein the assembler tool and the disassembler tool should be matched with each other, for example, Smali and bakamali refer to an assembler and a disassembler of a DEX format file used by a Java virtual machine (Dalvik) in the android system, respectively.
Preferably, the recompiled DEX may also be encrypted. The method specifically comprises the following steps: loading a DEX file, analyzing the DEX file into a DEX basic structure data file and a byte code data file, and calling a davlik virtual machine function openDEXFile to load the DEX basic structure data file. Separating the Head, String Table, Type Table, Proto Table, Field Table, Method Table, Class Def Table and Data selection of the DEX file to form a byte code Data file, and determining and reading the deviation value of each part of the file. Extracting byte code data in the DEX file and storing the byte code data in the DEX function realization byte code data file; each byte code data file is encrypted using a symmetric encryption algorithm. The encryption algorithm may be an encryption algorithm, and may be a conventional data encryption algorithm, such as AES (Advanced encryption standard), which encrypts the original DEX file to obtain an encrypted DEX file. Further, the original DEX file may be integrally encrypted, for example, the encryption Algorithm employs AES, the signature Algorithm employs RSA (public key encryption Algorithm), the digest Algorithm employs SHA1(Secure Hash Algorithm), and the encrypted DEX file may also be obtained.
And the reinforcing unit is used for reinforcing the DEX file through the dynamic link library.
Preferably, the reinforcement unit includes:
an analysis unit: the system is used for carrying out format analysis on the SO file to generate a custom format;
the extraction unit is used for extracting the SO file to generate an extracted custom format;
the encryption unit is used for encrypting the custom format;
the modifying unit is used for modifying the modifying entrance function to generate a modified entrance;
the protection code unit is used for embedding a protection code in the encrypted custom format;
and the embedding unit is used for embedding the self-defined format after the encryption and the embedding of the protection code into the linker loader.
Typically, SO files are dynamically linked libraries, which are essentially shared libraries, compiled from C or C + + languages. The SO file is loaded first at program start-up. And respectively decrypting the decompressed files by the SO files and calling openDEXFile to load the DEX basic structure data file. And sequentially repairing the offset of each function of the DEX basic structure data file according to the data in the byte code data file realized by the DEX function, and then, normally operating the program.
A writing unit: and writing the dynamic link library into the empty shell intermediate file, and further loading and operating through the empty shell program file. The empty shell program file is an empty shell smali file.
Preferably, the shell program file further includes a decryption unit, and the decryption unit includes: testing whether an x86 environment exists, and if so, repairing the x86 virtual machine vulnerability through the x86 environment; detecting whether the environment is an arm environment; detecting a java running environment, and judging whether the running environment is in a dvm mode or an art mode; when the class needs to be loaded, calling a clinit function, calling a bottom-layer function through the clinit function to decrypt a code, and optimizing the code by traversing the code by adopting a red-black tree algorithm so as to achieve an O (lgn) level data structure; and (3) detecting whether the virtual machine is maliciously tampered by using a mathematical statistic method to prevent a cracker from reversely cracking from the kernel layer. The mathematical statistical method may include a regularity statistical method or a variance averaging method.
Meanwhile, the decryption process solves the compatibility of the system by judging the environments of the virtual machine, the arm and the java.
Figure 4 shows a flow of a progressive decryption method according to another embodiment of the invention,
the decryption process further solves the decryption process of the samsung customized read-only memory mirror image under different android versions, and the process specifically comprises the following steps:
1. obtaining an Android version number, and judging whether the version is a leaky version;
2. judging whether the version with the holes is android3.0 or android 1.6;
3. if the bug exists, adopting a rewriting function to repair the bug;
4. testing whether the system environment is 32-bit system environment, and if the system environment is 32-bit system environment, repairing the vulnerability of the 32-bit system virtual machine;
preferably, the 32-bit system is X86, the virtual machine bug is a smali instruction set bug, the X86 virtual machine bug is repaired, and the X86 assembly at the instruction set interpretation level in the virtual machine is repaired by adopting a hook technology;
5. detecting whether the environment is an arm environment;
6. detecting a java running environment, and judging whether the running environment is in a dvm mode or an art mode; preferably, the java runtime environment can be detected by loading libart. SO or libdvm. SO;
7. detecting whether the ROM is a Samsung customized read-only memory mirror ROM;
preferably, the offset address for loading the DEX of the Samsung customized read-only memory mirror ROM is fundamentally different from the original android version, so that whether the Samsung customized read-only memory mirror ROM exists is judged;
8. if the address is the samsung customized read-only memory mirror image, modifying the DEX offset address of the executable file, otherwise, directly executing the step 9;
wherein the checksum, signature, file _ size, header _ size, string _ ids _ off, type _ ids _ off, proto _ ids _ off, field _ ids _ off, method _ ids _ off, class _ defs _ off, and data _ off correlations in the DEX header may be modified. The map _ off data is analyzed to modify the associated data offset.
9. When the class needs to be loaded, calling a clinit function, calling a bottom-layer function through the clinit function to decrypt a code, and optimizing the code by traversing the red and black tree algorithm to achieve an O (lgn) level data structure;
further, the decryption code comprises a step of circularly acquiring a DEXFile structure ClassDef by using an interface DEXGetClassDef, and a step of searching a class containing a clinit method by using GetStaticMethodID to realize active decryption; further, the Method for realizing active decryption is to circularly search the decrypted code of the Method structure in the memory, judge whether access flags have Native marks, and if not, indicate that the active decryption is finished.
10. Detecting whether the virtual machine is maliciously tampered for cracking by using a mathematical statistical method; the mathematical statistics method may include regularity statistics or variance averaging.
In step 9, only the required classes are decrypted and dynamically loaded, and the classes which are not used exist in an encrypted form, and are encrypted after the class loading is finished. Thus, even if the program is decompiled, an attacker cannot obtain critical information because the important code is already hidden in the DEX file and is already encrypted. Because the original DEX file which is completely decrypted does not exist, the risk that the APK installation file is cracked and decompiled is reduced. The method solves the problem that the code is broken down due to the problem of system bugs during running, and greatly improves the compatibility problem during reinforcement.
The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (12)
1. A reinforcing method for preventing reverse cracking of an android application program comprises the following steps:
reversely assembling the android application program by using an android installation package compiling tool to generate an intermediate file;
traversing the classes in the generated intermediate file, and setting a corresponding class constructor for the class to be loaded;
extracting all intermediate files except the class constructor and the initialization function, encrypting and storing the intermediate files, extracting the intermediate files to generate a shell program file and an entry address file,
calling a dynamic link library to reinforce the executable file; and
writing the reinforced file into the empty shell program file; wherein
The setting corresponding class constructor comprises: traversing class functions in the smali file, determining that the classes need to be executed, and automatically adding a < clinit > mark; when the < clinit > tag is read, it indicates that execution of the program is to be directed.
2. The method of claim 1, before extracting all intermediate files for encryption except the class constructor and the initialization function, further comprising: and assembling the intermediate file provided with the class constructor by using an android installation package compiling tool, and recompiling the intermediate file into an executable file.
3. The method of claim 1, encrypting the intermediate file further comprising:
and modifying the entry address file to generate a modified entry.
4. The method according to claim 1, wherein the shell program file further comprises a decryption process, and the decryption process comprises: when the class needs to be loaded, calling a class constructor, and calling a bottom layer function through the class constructor so as to decrypt a code; and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
5. The method of claim 4, wherein the mathematical statistical method comprises a variance averaging approach.
6. A reinforcing system for preventing reverse cracking of an android application program comprises the following units:
the installation package obtaining unit is used for obtaining an original android installation package;
the reverse assembly unit is used for reversely assembling the android application program by utilizing an android installation package compiling tool so as to obtain an intermediate file;
a class builder unit: traversing classes in the generated intermediate file, and setting a corresponding class constructor for the class to be loaded; the setting corresponding class constructor comprises: traversing class functions in the smali file, determining that the classes need to be executed, and automatically adding a < clinit > mark; when the < clinit > tag is read, it indicates that the program is to be directed to execute;
an extraction encryption unit: extracting all intermediate files except the class constructor and the initialization function, encrypting and storing the intermediate files, and performing extraction operation on the intermediate files to generate a shell program file and an entry address file;
the reinforcement unit is used for calling the dynamic link library to reinforce the executable file; and
and the writing unit is used for writing the dynamic link library into the empty shell program file.
7. The system of claim 6, the extraction encryption unit, before extracting all intermediate files for encryption except the class constructor and the initialization function, further comprises: and assembling the intermediate file provided with the class constructor by using an android installation package compiling tool, and recompiling the intermediate file into an executable file.
8. The system of claim 6, the decimation encryption unit further comprising:
and modifying the entry address file to generate a modified entry.
9. The system according to claim 6, wherein the shell program file further comprises a decryption unit, and the decryption unit is configured to call the class constructor when the class needs to be loaded, and call the underlying function through the class constructor to decrypt the code; and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
10. The system of claim 9, wherein the mathematical statistical method comprises a variance averaging approach.
11. A method for decrypting an empty file corresponding to the method of any one of claims 1 to 5, comprising the steps of:
obtaining an Android version number, and judging whether the version is a leaky version;
if the bug exists, adopting a rewriting function to repair the bug;
testing whether the system environment is 32-bit system environment, and if the system environment is 32-bit system environment, repairing the vulnerability of the 32-bit system virtual machine;
detecting whether the environment is an ARM processor environment;
detecting a java running environment, and judging whether the running environment is in a DVM mode or an ART mode;
detecting whether the memory image is a samsung customized read-only memory mirror image or not;
if the customized read-only memory mirror image is samsung, modifying the offset address of the executable file;
when the class needs to be loaded, calling a class constructor, and calling a bottom layer function through the class constructor so as to decrypt a code;
and detecting whether the virtual machine is maliciously tampered by using a mathematical statistical method.
12. The method of claim 11, wherein the version determined to have a leak is android3.0 or android 1.6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611265457.0A CN106778103B (en) | 2016-12-30 | 2016-12-30 | Reinforcement method, system and decryption method for preventing reverse cracking of android application program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611265457.0A CN106778103B (en) | 2016-12-30 | 2016-12-30 | Reinforcement method, system and decryption method for preventing reverse cracking of android application program |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106778103A CN106778103A (en) | 2017-05-31 |
| CN106778103B true CN106778103B (en) | 2020-03-13 |
Family
ID=58951480
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611265457.0A Active CN106778103B (en) | 2016-12-30 | 2016-12-30 | Reinforcement method, system and decryption method for preventing reverse cracking of android application program |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106778103B (en) |
Families Citing this family (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107480513B (en) * | 2017-08-17 | 2020-09-11 | 深信服科技股份有限公司 | Authentication implementation method and device, computer device and readable storage medium |
| CN107977553B (en) * | 2017-12-25 | 2020-07-10 | 中国电子产品可靠性与环境试验研究所 | Method and device for security reinforcement of mobile application program |
| CN108491235B (en) * | 2018-03-21 | 2021-03-30 | 北京理工大学 | DEX protection method combining dynamic loading and function Native |
| CN108733379B (en) * | 2018-05-28 | 2022-04-08 | 常熟理工学院 | Android application reinforcement method based on DEX byte code extraction mapping confusion |
| CN108846264A (en) * | 2018-06-11 | 2018-11-20 | 北京奇虎科技有限公司 | Code reinforcement means, device, intelligent terminal and computer readable storage medium |
| CN108959860B (en) * | 2018-07-20 | 2020-11-17 | 厦门市美亚柏科信息股份有限公司 | Method for detecting whether Android system is cracked or not and obtaining cracking record |
| CN110210256B (en) * | 2018-08-07 | 2023-06-06 | 腾讯科技(深圳)有限公司 | Application reinforcement, reinforcement application starting method and device and server |
| CN109214148A (en) * | 2018-09-03 | 2019-01-15 | 平安普惠企业管理有限公司 | A kind of dex file abstracting method, system and terminal device |
| CN109344577A (en) * | 2018-09-25 | 2019-02-15 | 四川大学 | A kind of method for carrying out software protection using self-modifying technology under ART |
| CN109543369B (en) * | 2018-11-23 | 2022-03-25 | 杭州哲信信息技术有限公司 | DEX protection method |
| CN109840425B (en) * | 2019-01-22 | 2020-07-31 | 北京数科网维技术有限责任公司 | File encryption method and device |
| CN110175067B (en) * | 2019-03-05 | 2023-06-13 | 广东电网有限责任公司信息中心 | Mobile application three-dimensional defense method and system |
| CN110427757A (en) * | 2019-08-06 | 2019-11-08 | 南方电网科学研究院有限责任公司 | Android vulnerability detection method, system and related device |
| CN110610097A (en) * | 2019-09-09 | 2019-12-24 | 杭州天宽科技有限公司 | File transmission security system based on android application |
| CN110765424B (en) * | 2019-10-22 | 2021-07-09 | 福州汇思博信息技术有限公司 | Android application reinforcement method and computer equipment |
| CN110990056A (en) * | 2019-11-01 | 2020-04-10 | 北京三快在线科技有限公司 | Reverse analysis method, device, electronic equipment and storage medium |
| CN111274551B (en) * | 2019-12-30 | 2023-06-27 | 上海上讯信息技术股份有限公司 | Compiler-based java code protection method and device and electronic equipment |
| CN111190604B (en) * | 2019-12-30 | 2023-11-03 | 航天信息股份有限公司 | Android application memory confusion method and device, electronic equipment and medium |
| CN111967032B (en) * | 2020-08-27 | 2023-08-25 | 长城计算机软件与系统有限公司 | File encryption method and decryption method based on confusion processing |
| CN112347431A (en) * | 2020-10-31 | 2021-02-09 | 山东开创云计算有限公司 | Android application reinforcement protection method |
| CN112671715B (en) * | 2020-12-03 | 2023-05-09 | 上海连尚网络科技有限公司 | Method and device for guaranteeing data security communication of application |
| US11886584B2 (en) * | 2021-05-28 | 2024-01-30 | AO Kaspersky Lab | System and method for detecting potentially malicious changes in applications |
| CN113934461B (en) * | 2021-09-26 | 2023-10-13 | 厦门亿联网络技术股份有限公司 | DEX-based android system formatting method and device |
| CN113836582A (en) * | 2021-09-30 | 2021-12-24 | 西安诺瓦星云科技股份有限公司 | Software encryption and decryption method and device, electronic equipment and storage medium |
| CN116522343B (en) * | 2023-07-05 | 2023-09-08 | 北京国御网络安全技术有限公司 | Native function attack defending method and device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945351A (en) * | 2012-11-05 | 2013-02-27 | 中国科学院软件研究所 | Security vulnerability fixing method based on two-dimensional code for mobile intelligent terminal in cloud environment |
| CN104484585A (en) * | 2014-11-26 | 2015-04-01 | 北京奇虎科技有限公司 | Application program installation package processing method and device, and mobile apparatus |
| CN105740714A (en) * | 2016-02-01 | 2016-07-06 | 中国人民大学 | Method and device for repairing system library bug on Android platform |
-
2016
- 2016-12-30 CN CN201611265457.0A patent/CN106778103B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945351A (en) * | 2012-11-05 | 2013-02-27 | 中国科学院软件研究所 | Security vulnerability fixing method based on two-dimensional code for mobile intelligent terminal in cloud environment |
| CN104484585A (en) * | 2014-11-26 | 2015-04-01 | 北京奇虎科技有限公司 | Application program installation package processing method and device, and mobile apparatus |
| CN105740714A (en) * | 2016-02-01 | 2016-07-06 | 中国人民大学 | Method and device for repairing system library bug on Android platform |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106778103A (en) | 2017-05-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106778103B (en) | Reinforcement method, system and decryption method for preventing reverse cracking of android application program | |
| Sun et al. | Taintart: A practical multi-level information-flow tracking system for android runtime | |
| KR101471589B1 (en) | Method for Providing Security for Common Intermediate Language Program | |
| Roundy et al. | Binary-code obfuscations in prevalent packer tools | |
| CN108229112B (en) | Protection application program, and running method and device of application program | |
| US8205096B2 (en) | Software license embedded in shell code | |
| KR101503785B1 (en) | Method And Apparatus For Protecting Dynamic Library | |
| EP1936532A1 (en) | Obfuscating computer program code | |
| WO2016078130A1 (en) | Dynamic loading method for preventing reverse of apk file | |
| US20170024230A1 (en) | Method, apparatus, and computer-readable medium for ofuscating execution of an application on a virtual machine | |
| CN104462959A (en) | Reinforcement protection method, sever and system for android app | |
| CN109255235B (en) | Mobile application third-party library isolation method based on user state sandbox | |
| CN107430650B (en) | Securing computer programs against reverse engineering | |
| WO2015192637A1 (en) | Method and apparatus for reinforced protection of software installation package | |
| CN107273723B (en) | So file shell adding-based Android platform application software protection method | |
| Shioji et al. | Code shredding: byte-granular randomization of program layout for detecting code-reuse attacks | |
| Li et al. | AppSpear: Automating the hidden-code extraction and reassembling of packed android malware | |
| CN108595950A (en) | A kind of safe Enhancement Methods of SGX of combination remote authentication | |
| Lim et al. | Structural analysis of packing schemes for extracting hidden codes in mobile malware | |
| El-Harake et al. | Blocking advertisements on android devices using monitoring techniques | |
| CN112134905B (en) | Android system based signature method, device and equipment | |
| CN107209815B (en) | Method for code obfuscation using return-oriented programming | |
| Abrath et al. | Obfuscating windows dlls | |
| Wan et al. | Defending application cache integrity of android runtime | |
| Saıdi et al. | Experiences in malware binary deobfuscation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |